[webkit-gtk] Fix CVE-2023-32435 for webkitgtk 2.38.6

Michael Catanzaro mcatanzaro at redhat.com
Thu Sep 7 05:41:29 PDT 2023

On Thu, Sep 7 2023 at 11:29:58 AM +0800, 不会弹吉他的KK 
<kai.7.kang at gmail.com> wrote:
> For Yocto project whick I am working on, packages(recipes) can NOT be 
> updated with
> major version upgrade on Yocto released products/branches. So we 
> still have to fix such
> kind of CVEs. But for master branch, webkitgtk will be upgraded as 
> soon as it released.

I'm going to recommend a different approach: don't fix any CVEs and 
instead prominently document that the version of WebKitGTK distributed 
by Yocto does not receive security updates. It's really better to avoid 
misplaced expectations; when you backport security fixes, people assume 
incorrectly that the package is receiving comprehensive security 
backports and is safe to use, but that's just not true. i.e. your 
security updates actually harm security because they mess up users' 
expectations. It's better to just be clear about it. We have this same 
problem in RHEL and are slowly moving towards doing no updates there as 

I would recommend removing WebKitGTK and its dependencies from Yocto 
altogether if they have rules that prohibit you from releasing proper 
security updates just because the version number is higher. Anyway, 
good luck.


More information about the webkit-gtk mailing list